Two-factor security for mobile transactions

Top story

Zurich, Switzerland, 18 October 2013—IBM scientists have developed a new mobile authentication security technology based on the radio standard known as near-field communication (NFC). The technology provides an extra layer of security when using an NFC-enabled device and a contactless smartcard to conduct mobile transactions, including online banking and digital signatures when accessing a corporate Intranet or private cloud.

According to a new report by ABI Research, the number of NFC devices in use will
exceed 500 million in 2014. This statistic and the fact that 1 billion mobile phone users
will use their devices for banking purposes by 2017* make for an increasingly
opportune target for hackers.

To address these challenges, IBM scientists in Zurich, also known for inventing an
operating system used to power and secure hundreds of millions of smartcards, have
developed an additional layer, a so-called two-factor authentication, for securing mobile
transactions.

Today many consumers use two-factor authentication from a computer, for example,
when they are asked for both a password and a verification code sent by SMS. IBM
scientists are applying the same concept using a PIN and a contactless smartcard.
The contactless smartcard could be a bank-issued ATM card or an employer-issued
identity card to access a corporate Intranet or private cloud.

“Our two-factor authentication technology based on the Advanced Encryption Standard
provides a robust security solution with no learning curve,” said Diego Ortiz-Yepes, a mobile security scientist at IBM Research.

How it works

The user simply holds the contactless smartcard next to the NFC reader of the mobile
device and after keying in their personal identification number (PIN), a one-time
code would be generated by the card and sent to the server by the mobile device.
The IBM technology is based on end-to-end encryption between the smartcard and
the server using the National Institute of Standards & Technology (NIST) AES (Advanced
Encryption Standard) scheme. Current technologies on the market require
users to carry an additional device, such as a random password generator, which is
less convenient and in some instances less secure.

The technology, which is available today for any NFC-enabled Android 4.0 device, is
based on IBM Worklight, a mobile application platform IBM acquired in 2012. Future
updates will include additional NFC-enabled phones based on market trends.

About IBM MobileFirst

As the first new technology platform for business to emerge since the World Wide
Web, mobile computing represents one of the greatest opportunities for organizations
to expand their business. Based on nearly 1,000 customer engagements, more
than 10 mobile-related acquisitions in the last four years, a team of thousands of mobile
experts and 270 patents in wireless innovations, IBM MobileFirst provides the
key elements of an application and data platform with the management, security and
analytics capabilities needed for the enterprise.

To learn more, visit the IBM MobileFirst press kit or
webpage. Follow @ibmmobile, #ibmmobile on Twitter, and see
IBM MobileFirst on YouTube, Tumblr and Instagram.